Miroslav Lichvar from Red Hat reports that the cmdmon protocol implemented in chrony was found to be vulnerable to DDoS attacks using traffic amplification. By default, commands are allowed only from localhost, but it's possible to configure chronyd to allow commands from any address. This could allow a remote attacker to cause a DoS, which could cause excessive resource usage.

To summarize explicitly, chrony 1.19.1 has these changes to address this CVE:
- requires padding in cmdmon protocol requests. As a consequence, cmdmon responses are no longer larger than requests, avoiding traffic amplification.
- no longer send any response to hosts on on the cmdallow list